Combining program verificationwith component-based architectures

Alexander SenierBOB 2018

Berlin, February 23rd, 2018

23.02.2018 2

AboutComponolit

23.02.2018 3

What happens when we use what's best?

23.02.2018 4

What’s Best?Mid-90ies: DOS+Pascal

program WriteName;var i : Integer; {variable to be used for looping} Name : String; {declares the variable Name as a string}begin Write('Please tell me your name: '); ReadLn(Name); {Return string entered by the user} for i := 1 to 100 do begin WriteLn('Hello ', Name) end; readln;end.

23.02.2018 5

What’s Best?End of 90ies: Linux+C

if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) goto fail; goto fail; ... other checks ... fail: ... buffer frees (cleanups) ... return err;

23.02.2018 6

What’s Best?Mid 2000s: Linux/FreeBSD/NetBSD+Ada

type Day_type is range 1 .. 31;type Month_type is range 1 .. 12;type Year_type is range 1800 .. 2100;type Hours is mod 24;type Weekday is (Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday);type Date is record Day : Day_type; Month : Month_type; Year : Year_type; end record;

23.02.2018 7

What’s Best?Today and in the Future

That’s what this talk is about.

23.02.2018 8

“Use what’s best”

⇒“Trustworthy systems”

23.02.2018 9

¬ “Use what’s best”

⇒???

23.02.2018 10

What’s Best?Our answer (so far) – Outline

■ Problem

▪ Unsafe programming languages

▪ Monolithic systems

■ Solution

▪ Component-based systems

▪ Program verification

■ Future

▪ Verification of high-level models

▪ Protocol verification

23.02.2018 11

ProblemUnsafe Programming Languages

■ Stragefright (July 2015)

▪ Billions of devices affected

▪ Remote code execution, privilege escalation

▪ As easy as sending video/image

■ Problem not solved since

▪ > 350 bugs (critical/high)

▪ Integer overflows

▪ Integer underflows

▪ Buffer overflows

▪ Heap overflows

23.02.2018 12

ProblemMonolithic Systems

■ Typical System Architecture

■ Most systems monolithic today

▪ Complex features

▪ Large, shared services

▪ Weak isolation

■ Consequences

▪ Large Trusted Computing Base

▪ High error probability

▪ Unrestricted error propagation

Linux Kernel(Networking, Devices Drivers, File Systems,

Encryption, Security Policies, ...)

BluetoothService

ServiceY

...Wifi

Service

MediaFramework

FrameworkX

...

App 1 App nApp 2 App 3 App 4 ...

Trusted Computing Base

23.02.2018 13

SolutionOur Constraints

■ Minimal Trusted Computing Base

■ System/low-level programming

■ Low overhead

23.02.2018 14

SolutionThe Genode OS Framework*

■ Recursive system structure

▪ Root: Microkernel

▪ Parent: Responsibility + control

▪ Isolation is default

▪ Strict communication policy

■ Everything is a user-process

▪ Application

▪ File systems

▪ Drivers, Network stacks

■ Hierarchical System Architecture

*) https://genode.org

23.02.2018 15

SolutionMinimal Trusted Computing Base

■ Trusted Computing Base

▪ Software required for security

▪ Parents in tree

▪ Services used

■ TCB reduction

▪ Application-specific

▪ Example: File system

■ Per-application TCB

23.02.2018 16

Does that mean we have to reimplement everything?

23.02.2018 17

Architecture for Trustworthy SystemsStrategy #1: Policy Objects

■ Can’t reimplement everything

■ Solution: software reuse

▪ Untrusted software (gray)

▪ Policy object (green)

▪ Client software (orange)

■ Policy object

▪ Establishes assumptions of client

▪ Sanitizes

▪ Enforces additional policies

■ Policy objects

Network

Stack

Web

browser

Protocol validator

(e.g. TLS)

23.02.2018 18

Architecture for Trustworthy SystemsStrategy #2: Trusted Wrappers

■ Untrusted software (gray)

▪ E.g. disk, file system, cloud

■ Trusted wrapper

▪ Mandatory encryption

■ Client software (orange)

▪ No direct interaction with untrusted components

▪ Minimal attack surface

■ Trusted wrapper

Network

Stack

Web

Browser

VPN

Component

23.02.2018 19

Architecture for Trustworthy SystemsStrategy #3: Transient components

■ Untrusted software

▪ E.g. Media decoder

▪ No chance to get this right!

■ Transient component

▪ Temporarily instantiate untrusted software for single file/stream

▪ Expose only simple interfaces (e.g. PCM audio)

▪ Cleanup on completion

■ Transient component

Network Audio PlayerDecoder

read-only simple

Controller

23.02.2018 20

But, what if trusted components fail?

23.02.2018 21

High-assurance ImplementationA simple task: Calculating abs()

// Calculate absolute of X1 int abs_value (int X)2 {3 if (X > 0) {4 return X;5 } else {6 return -X;7 };8 }

// Let’s try abs_value()abs_value(-12345) ⟹ 12345abs_value(56789) ⟹ 56789abs_value(0) ⟹ 0abs_value(-2147483648) ⟹ -2147483648

23.02.2018 22

High-assurance ImplementationAt a glance: SPARK*

■ Language + verification toolset

▪ Imperative, object-oriented

▪ Designed for error avoidance

▪ Strong type system

▪ Formal contracts

*) http://spark-2014.org

■ Depth of verification is flexible

▪ Data and control flow analysis

▪ Dependency contracts

▪ Absence of runtime errors

▪ Functional correctness

23.02.2018 23

High-assurance ImplementationSPARK benefits

■ Well-suited for system-level development

▪ Compiled using GCC (via GNAT Ada frontend)

▪ Supports runtime-free mode (via profiles)

▪ Integration of full Ada and bindings to C

■ Used in various critical and system-level projects

▪ Muen Separation Kernel (https://muen.sk)

▪ Satellite software, air traffic control, secure workstation

23.02.2018 24

High-assurance ImplementationOur previous example

1 function Abs_Value (X : Integer) return Integer 2 with 3 -- Uncomment the following line to prove 4 -- Pre => X /= Integer'First, 5 Post => Abs_Value'Result = abs (X) 6 is 7 begin 8 if X > 0 then 9 return X;10 else11 return -X; 12 end if;13 end Abs_Value;

Proving...Phase 1 of 2: generation of Global contracts ...Phase 2 of 2: flow analysis and proof ...abs_value.adb:11:14: medium: overflow check might fail (e.g. when Abs_Value'Result = 0 and X = -2147483648)One error.

23.02.2018 25

High-assurance ImplementationBitwise swap using XOR

1 with Interfaces; use Interfaces; 2 3 procedure Bitwise_Swap (X, Y : in out Unsigned_32) with 4 Post => X = Y'Old and Y = X'Old 5 is 6 begin 7 X := X xor Y; 8 Y := X xor Y; 9 -- Uncomment the following line to prove10 -- X := X xor Y;11 end Bitwise_Swap;

Proving...Phase 1 of 2: generation of Global contracts ...Phase 2 of 2: flow analysis and proof ...bitwise_swap.adb:4:11: medium: postcondition might fail, cannot prove X = Y'old (e.g. when X = 0 and Y'Old = 4294967295)One error.

23.02.2018 26

Let’s put it together.

23.02.2018 27

Componolit PlatformBaseband firewall – Architecture

Phone

USB

Laptop

Baseband

Proxy

Genode (base system)

USB Filter

VirtualBox

Android

Proxy

23.02.2018 28

Componolit PlatformBaseband firewall – Implementation

23.02.2018 29

What’s Best?Future: More Verification!

■ Interactive theorem proving

▪ Functional specification in Isabelle/HOL

▪ Prove correspondence with SPARK program

■ Protocol verification

▪ See ourselves implementing communication protocols…

▪ ...over and over again

■ Goal

▪ Closed specification of communication protocols

▪ Verification of protocol properties using temporal logic

▪ Generation of code

Interested in ideas!

23.02.2018 30

Questions?

Alexander Seniersenier@componolit.com

@Componolit · componolit.com · github.com/Componolit

2017-02-03 31

2017-02-03 32

StagefrightBugs rated critical/high since 2015